The Monitoring at Work Code, published last month, gives employers a guide
to when and how they can monitor staff.katherine o’brien discusses some
Paper UK (PUK) is a paper distribution company with about 100
employees. Employees work either at the company’s head office, or at the
customer advice centre taking queries from customers. The HR manager has read
about the new code for monitoring employees, and wants to know what PUK should
Katherine O’Brien comments: The third part of the Employment Practices
Data Protection Code – Monitoring at Work (published on 11 June 2003 after a
lengthy consultation process) provides employers with guidance on how they
can monitor job applicants, employees and other staff.
Monitoring is an intrinsic part of the employment relationship, and
technological developments mean employers hold extensive information on their
staff – often collected automatically and without too much thought. Staff may
be filmed on CCTV as they arrive or leave work, electronic swipe cards will
indicate their whereabouts on the employer’s premises, and computer logs are
created when staff switch on their computers.
During the day, records indicate staff access to the internet and sites
visited. E-mails sent and received are recorded as well as telephone calls. If
staff are provided with work mobile telephones or company cars, then management
often makes records of use.
The Code lays down guidelines for steps employers should take in deciding
whether any particular form of monitoring is appropriate in the circumstances.
Any adverse impact of monitoring on individuals has to be justified by the
benefits received. The Code recommends using specific impact assessments to decide
whether or not this is the case, to establish what monitoring is to be carried
out and to whether a monitoring arrangement is a proportionate response to the
problem to be addressed.
An impact assessment involves:
– Identifying the purpose behind the monitoring arrangement and the benefits
it is likely to deliver
– Identifying any likely adverse impact of the monitoring arrangement
– Considering alternatives to monitoring or different ways in which it might
be carried out
– Taking into account the obligations that arise from monitoring
– Judging whether monitoring is justified.
The following factors may establish whether there is an adverse impact on
staff and customers of the organisation:
– What intrusion will there be in private lives or interference with private
– How much information do staff have on how and when they are monitored? The
more information provided the better, as it allows staff to limit the adverse
impact on them
– Will there be any impact on the relationship of mutual trust and
confidence between the staff and employer or any other confidential
relationship, such as, for example, trade union representatives?
– As part of the impact assessment, it is important to consider the least
intrusive method of monitoring possible and alternatives to monitoring
– In establishing that staff are complying with company policy and
procedure, using different methods of supervision, training and clearer
communication may deliver acceptable results
– Specific incidents can be investigated by accessing stored e-mails, rather
than undertaking continuous monitoring. Monitoring can also be limited to staff
about whom complaints have been received or areas of high risk
– Automated monitoring is less intrusive and means the personal information
is only ‘seen’ by a machine
– Spot-checks or audits can be undertaken rather than continuous monitoring
(depending on the circumstances, as sometimes continuous monitoring can be less
intrusive than human intervention).
As well as the aspects mentioned above, deciding whether a current or
proposed method of monitoring is justified involves emphasising the need to be
fair to staff, ensuring any intrusion is no more than necessary. Any significant
intrusion will only be justified if the employer’s business is at serious risk.
Consultation with staff and/or trade unions can be of assistance when
considering these issues.
PUK has noticed an unusually high amount of stock is being ordered on
a regular basis, and believes some is being stolen. It proposes to set up CCTV
cameras to monitor the situation. Can it do this?
KO’B comments: When carrying out an impact assessment for video
monitoring PUK should consider the following:
– It must establish why it is setting up the CCTV and what benefit it
believes it will obtain. Does it wish to obtain evidence that theft is
occurring, deter future thefts or catch the perpetrators? PUK should also
consider whether it is reasonable to believe stock is being stolen. This will
add weight to the belief that monitoring is required.
– In order to reduce the adverse impact, PUK should consider targeting areas
of particular risk, for example the stockroom. PUK may feel other areas need
monitoring depending on where it feels it is most likely to identify the
perpetrators of any theft. Where possible, monitoring should be confined to
areas where staff expectation of privacy is low (not the staff toilets, for
– Continuous monitoring will only be justified in rare circumstances due to
its particularly intrusive nature
– Are there practical alternatives to CCTV, such as security checks on staff
leaving the building?
– Is PUK able to make it clear that monitoring is taking place and why, in
all areas where the monitoring takes place (placing a prominent sign,
identifying the organisation responsible for monitoring, who is to be contacted
and why it is being done)? This is particularly important in public areas where
people other than staff are likely to be inadvertently caught on camera
– Can PUK justify the continuous monitoring of a particular area? This may
not be so simple if individuals are likely to be continuously monitored, for
example those working in the stockroom.
In limited circumstances, the Data Protection Act 1998 allows covert
monitoring. Covert monitoring should be authorised by senior management, who
must satisfy themselves that there are grounds for suspecting criminal activity
or equivalent malpractice, and that notifying individuals would prejudice its
prevention or detection. A reliable test is whether or not the activity would
be of sufficient seriousness to involve the police (unless covert monitoring is
to be carried out in a private area, in which case a suspicion of a serious
crime and an intention to involve the police is required).
PUK would find covert monitoring difficult to justify when it doesn’t have
an individual in mind.
Personal information collected should only be used for the purposes for
which the monitoring was introduced, unless it is in an individuals’ interest
to use it or if it reveals an activity no reasonable employer could be expected
to ignore (for example, serious harassment).
E-mail and the internet
Staff working in the customer advice centre at PUK take queries from
customers by telephone and e-mail. The manager believes some employees are
spending a large part of their time looking at pornography on the internet and
sending personal e-mails. He wants to check what members of staff are doing.
Can he do it and what methods can be used?
KO’B comments: PUK needs to establish whether it has a current staff
policy regulating electronic communications and whether it establishes
boundaries of acceptable behaviour with regard to e-mail exchange and use of
A policy for the use of electronic communications should incorporate the
– Clear boundaries as to the amount and type of personal communications
– Specified restrictions on what can be viewed or copied from the internet
– Clear instructions as to what would be considered offensive rather than
simply a reference to ‘offensive’ material
– Examples of personal information which staff are permitted to communicate
– Alternatives to electronic communications for passing on personal
– An explanation of the purpose for which any monitoring is conducted, the
extent of monitoring and means used. This should include how the policy is
enforced and the penalties for a breach of that policy.
In addition, PUK must ensure it is not in breach of the Regulation of
Investigatory Powers Act 2000 and Lawful Business Practice Regulations.
Interceptions are not permitted without the consent of the sender and recipient
unless authorised under the regulations. An interception is likely to be
authorised where it is for the purpose of running the business and all
reasonable efforts have been made to inform internal users of the interception.
Once PUK has established the purpose of the monitoring arrangement and the
benefits it will deliver, it should look at any adverse impact and suitable
– Analyse e-mail traffic rather than monitoring the content of messages. If
the content is monitored, PUK may be at risk of breaching its duty of trust and
– Detection of personal communications should be possible from the heading
or address. The content of personal e-mails should only be accessed where there
is a pressing business need to do so
– Establish whether any methods of monitoring can be limited or automated.
Automated systems can provide protection from intrusion and malicious codes and
detect references to particular matters
– Technology that prevents rather than detects misuse could be used to stop
staff accessing unauthorised websites. PUK can also detect time spent accessing
the internet rather than monitoring sites visited or content viewed,
particularly if web access for personal reasons is not permitted
– Monitoring can also be done on an aggregated basis by examining logs of
which sites have been visited and only focusing on specific individuals who
have been identified as problematic. Such a log is also likely to identify
sites accessed accidentally
– In all cases, before further action is taken, staff should be given an
opportunity to explain their actions or challenge any information.
Monitoring e-mails will mean processing information about external people
who should be informed of the monitoring. Staff must also be made aware of the
nature and extent of e-mail and internet access monitoring.
Katherine O’Brien is a trainee solicitor at Lewis Silkin
Find out more on the code at www.dataprotection.gov.uk